The AssetPluginRegistry contract manages the validity of assets across different version hashes. It includes a deprecation mechanism to invalidate assets globally, regardless of version.
The registerAsset function allows registering an asset as valid for multiple version hashes. However, it doesn't check if the asset has been deprecated before registering it.
Code Snippet
function registerAsset(address _asset, bytes32[] calldata validForVersions) external {
if (!roleRegistry.isOwner(msg.sender)) {
revert AssetPluginRegistry__InvalidCaller();
}
if (_asset == address(0)) {
revert AssetPluginRegistry__InvalidAsset();
}
for (uint256 i = 0; i < validForVersions.length; ++i) {
bytes32 versionHash = validForVersions[i];
if (address(versionRegistry.deployments(versionHash)) == address(0)) {
revert AssetPluginRegistry__InvalidVersion();
}
_isValidAsset[versionHash][_asset] = true;
emit AssetPluginRegistryUpdated(versionHash, _asset, true);
}
}
Impact
This bug allows deprecated assets to be re-registered as valid, potentially bypassing security measures or business logic that led to the asset's deprecation in the first place. This could lead to the use of unsafe or outdated assets in the system.
Scenario
An asset is deprecated using the deprecateAsset function.
Later, an owner calls registerAsset for the same asset.
The asset is now registered as valid for the specified versions, despite being deprecated.
The isValidAsset function will still return false for this asset due to its deprecated status.
This creates an inconsistency between the asset's registered status and its actual validity.
Fix
Add a check for the deprecated status of the asset at the beginning of the registerAsset function:
function registerAsset(address _asset, bytes32[] calldata validForVersions) external {
if (!roleRegistry.isOwner(msg.sender)) {
revert AssetPluginRegistry__InvalidCaller();
}
if (_asset == address(0)) {
revert AssetPluginRegistry__InvalidAsset();
}
if (isDeprecated[_asset]) {
revert AssetPluginRegistry__DeprecatedAsset();
}
// Rest of the function remains the same
...
}
This fix ensures that deprecated assets cannot be re-registered, maintaining consistency with the deprecation mechanism and preventing potential security risks or logical inconsistencies in the system.
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/registry/AssetPluginRegistry.sol#L31
Vulnerability details
Vulnerability Details
The
AssetPluginRegistry
contract manages the validity of assets across different version hashes. It includes a deprecation mechanism to invalidate assets globally, regardless of version.The
registerAsset
function allows registering an asset as valid for multiple version hashes. However, it doesn't check if the asset has been deprecated before registering it.Code Snippet
Impact
This bug allows deprecated assets to be re-registered as valid, potentially bypassing security measures or business logic that led to the asset's deprecation in the first place. This could lead to the use of unsafe or outdated assets in the system.
Scenario
deprecateAsset
function.registerAsset
for the same asset.isValidAsset
function will still returnfalse
for this asset due to its deprecated status.Fix
Add a check for the deprecated status of the asset at the beginning of the
registerAsset
function:This fix ensures that deprecated assets cannot be re-registered, maintaining consistency with the deprecation mechanism and preventing potential security risks or logical inconsistencies in the system.
Assessed type
Invalid Validation